void CG21_PI_FACTOR

void CG21_PI_FACTOR_PROVE()

in src/cg21/cg21_pi_factor.c [321:491]
113 lines of code
1 McCabe index (conditional complexity)

void CG21_PI_FACTOR_PROVE(const CG21_PiFACTOR_SECRETS *r1priv, const CG21_PiFACTOR_COMMIT *r1pub, CG21_PiFACTOR_PROOF *proof,
                          octet *p1, octet *q1, octet *e){

    BIG_1024_58 e_[HFLEN_2048];
    BIG_1024_58 e_2[FFLEN_2048 + HFLEN_2048];
    BIG_1024_58 e_3[2*FFLEN_2048 + HFLEN_2048];
    BIG_1024_58 t5[FFLEN_2048 + HFLEN_2048];
    BIG_1024_58 t6[3*FFLEN_2048];
    BIG_1024_58 t7[FFLEN_2048 + HFLEN_2048];
    BIG_1024_58 t8[2*FFLEN_2048 + HFLEN_2048];
    BIG_1024_58 t9[5*FFLEN_2048];
    BIG_1024_58 t10[2*FFLEN_2048 + HFLEN_2048];

    BIG_1024_58 pF[FFLEN_2048];
    BIG_1024_58 qF[FFLEN_2048];

    char oct[3*FS_2048];
    octet OCT = {0, sizeof(oct), oct};

    char p[FS_2048] = {0};
    octet p_ = {0,sizeof(p),p};

    char qq[FS_2048];
    octet q_ = {0,sizeof(qq),qq};

    OCT_copy(&p_, p1);
    OCT_copy(&q_, q1);

    OCT_pad(&p_, FS_2048);
    OCT_pad(&q_, FS_2048);
    FF_2048_fromOctet(pF, &p_, FFLEN_2048);
    FF_2048_fromOctet(qF, &q_, FFLEN_2048);

    // load e as HFLEN_2048 in e_
    OCT_copy(&OCT, e);
    OCT_pad(&OCT, HFS_2048);
    FF_2048_fromOctet(e_, &OCT, HFLEN_2048);

    // load e as FS_2048+HFS_2048 in e_2
    OCT_copy(&OCT, e);
    OCT_pad(&OCT, FS_2048+HFS_2048);
    FF_2048_fromOctet(e_2, &OCT, FFLEN_2048 + HFLEN_2048);

    // load e as 2*FS_2048+HFS_2048 in e_3
    OCT_copy(&OCT, e);
    OCT_pad(&OCT, 2*FS_2048+HFS_2048);
    FF_2048_fromOctet(e_3, &OCT, 2*FFLEN_2048 + HFLEN_2048);

    /*  z1 = e*p + alpha  */
    // zeroise variables
    FF_2048_zero(t5, FFLEN_2048+HFLEN_2048);
    FF_2048_zero(t7, FFLEN_2048+HFLEN_2048);
    FF_2048_zero(t8, FFLEN_2048+HFLEN_2048);

    OCT_clear(&OCT);
    OCT_copy(&OCT, r1priv->alpha);
    OCT_pad(&OCT, FS_2048+HFS_2048);
    FF_2048_fromOctet(t5, &OCT, FFLEN_2048+HFLEN_2048);

    CG21_FF_2048_amul(t7, e_, HFLEN_2048, pF, FFLEN_2048); // t7 = e*p
    FF_2048_add(t8, t7, t5, FFLEN_2048+HFLEN_2048);                // t3 = e*p + alpha
    FF_2048_norm(t8, FFLEN_2048+HFLEN_2048);
    FF_2048_toOctet(proof->z1,t8,FFLEN_2048+HFLEN_2048);

    /*  z2 = e*q + beta  */
    // zeroise variables
    FF_2048_zero(t5, FFLEN_2048+HFLEN_2048);
    FF_2048_zero(t7, FFLEN_2048+HFLEN_2048);
    FF_2048_zero(t8, FFLEN_2048+HFLEN_2048);

    OCT_clear(&OCT);
    OCT_copy(&OCT, r1priv->beta);
    OCT_pad(&OCT, FS_2048+HFS_2048);
    FF_2048_fromOctet(t5, &OCT, FFLEN_2048+HFLEN_2048);

    CG21_FF_2048_amul(t7, e_, HFLEN_2048, qF, FFLEN_2048); // t7 = e*p
    FF_2048_add(t8, t7, t5, FFLEN_2048+HFLEN_2048);                // t3 = e*p + alpha
    FF_2048_norm(t8, FFLEN_2048+HFLEN_2048);
    FF_2048_toOctet(proof->z2,t8,FFLEN_2048+HFLEN_2048);

    /*  w1 = e*mu + x  */
    // zeroise variables
    FF_2048_zero(t5, FFLEN_2048 + HFLEN_2048);
    FF_2048_zero(t6, 3*FFLEN_2048);
    FF_2048_zero(t7, FFLEN_2048 + HFLEN_2048);

    // load mu
    OCT_clear(&OCT);
    OCT_copy(&OCT, r1priv->mu);
    OCT_pad(&OCT, FS_2048+HFS_2048);
    FF_2048_fromOctet(t5, &OCT, FFLEN_2048 + HFLEN_2048);

    CG21_FF_2048_amul(t6, e_, HFLEN_2048, t5, FFLEN_2048 + HFLEN_2048); // t6 = e*mu

    //load x
    OCT_clear(&OCT);
    OCT_copy(&OCT, r1priv->x);
    OCT_pad(&OCT, FS_2048+HFS_2048);
    FF_2048_fromOctet(t5, &OCT, FFLEN_2048 + HFLEN_2048);

    FF_2048_add(t7, t6, t5, FFLEN_2048 + HFLEN_2048);          // t7 = e*mu + x
    FF_2048_norm(t7, FFLEN_2048 + HFLEN_2048);
    FF_2048_toOctet(proof->w1,t7,FFLEN_2048 + HFLEN_2048);

    /*  w2 = e*nu + y  */
    // zeroise variables
    FF_2048_zero(t5, FFLEN_2048 + HFLEN_2048);
    FF_2048_zero(t6, 3*FFLEN_2048);
    FF_2048_zero(t7, FFLEN_2048 + HFLEN_2048);

    // load mu
    OCT_clear(&OCT);
    OCT_copy(&OCT, r1priv->nu);
    OCT_pad(&OCT, FS_2048+HFS_2048);
    FF_2048_fromOctet(t5, &OCT, FFLEN_2048 + HFLEN_2048);

    CG21_FF_2048_amul(t6, e_, HFLEN_2048, t5, FFLEN_2048 + HFLEN_2048); // t6 = e*nu

    //load y
    OCT_clear(&OCT);
    OCT_copy(&OCT, r1priv->y);
    OCT_pad(&OCT, FS_2048+HFS_2048);
    FF_2048_fromOctet(t5, &OCT, FFLEN_2048 + HFLEN_2048);

    FF_2048_add(t7, t6, t5, FFLEN_2048 + HFLEN_2048);          // t7 = e*nu + y
    FF_2048_norm(t7, FFLEN_2048 + HFLEN_2048);
    FF_2048_toOctet(proof->w2,t7,FFLEN_2048 + HFLEN_2048);

    /*  v = e*hat{sigma} + r  */
    // zeroise variables
    FF_2048_zero(t5, FFLEN_2048 + HFLEN_2048);
    FF_2048_zero(t6, 3*FFLEN_2048);
    FF_2048_zero(t7, FFLEN_2048 + HFLEN_2048);
    FF_2048_zero(t8, 2*FFLEN_2048 + HFLEN_2048);
    FF_2048_zero(t9, 5*FFLEN_2048);
    FF_2048_zero(t10, 2*FFLEN_2048 + HFLEN_2048);

    //hat{sigma} = sigma - nu*p
    // load sigma
    OCT_clear(&OCT);
    OCT_copy(&OCT, r1pub->sigma);
    OCT_pad(&OCT, 2*FS_2048+HFS_2048);
    FF_2048_fromOctet(t8, &OCT, 2*FFLEN_2048 + HFLEN_2048); // t8 = sigma

    // load nu
    OCT_clear(&OCT);
    OCT_copy(&OCT, r1priv->nu);
    OCT_pad(&OCT, 2*FS_2048);
    FF_2048_fromOctet(t10, &OCT, 2*FFLEN_2048);   // t10 = nu

    // in amul xlen * k = ylen should hold, that's why we load r1priv->nu as 2*FFLEN_2048
    // and not as FFLEN_2048 + HFLEN_2048
    CG21_FF_2048_amul(t6, pF, FFLEN_2048, t10, 2*FFLEN_2048); // t6 = nu*p
    FF_2048_zero(t10, 2*FFLEN_2048 + HFLEN_2048);
    FF_2048_sub(t10, t8, t6, 2*FFLEN_2048 + HFLEN_2048);          // t10 = hat{sigma} = sigma - nu*p
    FF_2048_norm(t10, 2*FFLEN_2048 + HFLEN_2048);

    CG21_FF_2048_amul(t9, e_, HFLEN_2048, t10, 2*FFLEN_2048 + HFLEN_2048); // t9 = e*hat{sigma}

    // load r
    OCT_clear(&OCT);
    OCT_copy(&OCT, r1priv->r);
    OCT_pad(&OCT, 2*FS_2048+HFS_2048);
    FF_2048_fromOctet(t8, &OCT, 2*FFLEN_2048 + HFLEN_2048);         // t8 = r

    FF_2048_add(t10, t8, t9, 2*FFLEN_2048 + HFLEN_2048);          // t10 = e*hat{sigma} + r
    FF_2048_norm(t10, 2*FFLEN_2048 + HFLEN_2048);
    FF_2048_toOctet(proof->v,t10,2*FFLEN_2048 + HFLEN_2048);


}